MORE INFORMATION

Write Filter is one of the embedded enabling components for Windows NT Embedded 4.0. The purpose of this component is to allow the OS to boot from any read-only media such as flash media, CD-ROM, or protected hard drive while still giving the appearance of read-write access to the operating system. The write filter does this by caching all attempted disk writes and returning success to the process that requested the I/O. The ramification of this is that any disk writes that an application makes are preserved while power is maintained but lost when the system is shut down or power is unexpectedly cut-off.

If a design requires that the OS be protected but still needs ability to log data to persistent storage, the recommended alternative is to load the OS onto some read-only media protected by the Write Filter component, and then have a second source of persistent storage (a hard drive or a second partition on a single hard drive) that is not marked read-only and not protected by Write Filter. This approach will protect the OS and allow data logging to the unprotected partition. However, this approach will not protect the writable partition from corruption. The important point to remember is that there are no guarantees of integrity for disk writes when the power is removed, regardless of the file system used (FAT or NTFS).

If your application is using the NTFS file system, the file system will usually recover from power loss without data corruption on the data partition through the use of log files, checkpoint records, and the commit/rollback architecture of NTFS. However, no file system can guarantee recoverability from catastrophic power loss when the correct operation of the hardware is in question. Because disk controllers are electronic devices and may behave very unpredictably as their power supply weakens, the only way to completely protect a system from power-off corruption is by using a combination of software (Write Filter and NTFS) and hardware (uninterruptible power supply) solutions. Such a design could provide enough internal power for the OS to commit all disk writes (time is variable but typically 8 to 12 seconds on a Windows NT Embedded-based system).

Essentially, the hardware solution must provide one of the following:

• An interrupt notification that will trigger an orderly shutdown, as well as enough standby power to finish the shutdown. This method will ensure that the system is shut down and all file writes are committed by NTFS. -or-
  

• Just enough power for the shutdown, and a device driver that periodically forces the cache to be flushed to disk. This method is more dangerous in that it is possible that even if the cache is flushed, the operating system will not complete its other shutdown routines and therefore data corruption is a possibility.